On Fri, 2016-08-19 at 13:36 +0200, Florian Westphal wrote:
> With stats enabled this eats 80 bytes on x86_64 per nf_conn entry.
>
> Remove it and use a 32bit jiffies value containing timestamp until
> entry is valid.

Great work !

...

> +/* caller must hold rcu readlock and none of the nf_conntrack_locks */ > +static void nf_ct_gc_expired(struct nf_conn *ct) > +{ > + if (!atomic_inc_not_zero(&ct->ct_general.use)) > + return; > + > + if (nf_ct_should_gc(ct)) > + nf_ct_kill(ct); > + > + nf_ct_put(ct); > +} > + > /* > * Warning : > * - Caller must take a reference on returned object > @@ -499,6 +505,17 @@ begin: > bucket = reciprocal_scale(hash, hsize); > > hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[bucket], hnnode) { > + struct nf_conn *ct; > + > + ct = nf_ct_tuplehash_to_ctrack(h); > + if (nf_ct_is_expired(ct)) { > + nf_ct_gc_expired(ct); > + continue; > + } > + > + if (nf_ct_is_dying(ct)) > + continue; > + > if (nf_ct_key_equal(h, tuple, zone, net)) { > NF_CT_STAT_INC_ATOMIC(net, found); > return h;

Florian, I do not see how this part is safe against concurrent lookups and deletes ?

At least the hlist_nulls_for_each_entry_rcu() looks buggy, since fetching the next pointer would trigger a use after free ?

Thanks !
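
Review bot: the comment above nf_ct_gc_expired() states the locking precondition but not why expiry is tested a second time with nf_ct_should_gc(ct) after atomic_inc_not_zero() succeeds, given that the caller in the lookup loop has already tested nf_ct_is_expired(ct) without holding a reference. If the intent is that the entry's state is only trusted once the reference is held, say so in the comment, so the re-check is not later removed as redundant.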
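
Review bot: in the lookup loop, `nf_ct_gc_expired(ct);` followed by `continue;` makes hlist_nulls_for_each_entry_rcu() fetch the next pointer from an entry that nf_ct_kill() may just have unlinked, and nothing in the visible lines says what keeps that entry valid for the rest of the walk. Either document next to the call the guarantee the walk relies on, or avoid continuing from the killed entry, for example by going back to `begin:` and rescanning the bucket.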